Hi Michiel,

On 08/22/2012 01:45 PM, Michiel Piscaer wrote:
> Hi,
>
> We can't reach the domain name gruintjes.nl, when we look into the
> logging with verbosity: 2 we got the following messages:

val-log-level: 2 shows a detailed error, here

    validation failure <gruintjes.nl. A IN>: No DNSKEY record from 217.170.1.241 for key gruintjes.nl. while building chain of trust

>
> We are using unbound version 1.4.16.
>
> When we sniff the packet we do not see any problems except that the
> nameservers ns1.hix.nl and ns2.hix.nl are mentioned 8 times in the
> additional section, also the nameserver ns-3.eu. is not
> responding.

There is a gruintjes.nl DS record, but the nameservers do not have any
DNSSEC information at all. I should say, the answers that I got did
not contain any DNSSEC, some imposter must have removed them and
therefore it is considered false information.

But I surmise that this is a configuration problem of gruintjes.nl:
enabled DNSSEC with a DS record in the parent but does have DNSSEC
records in the zone.

> But I do not think that this would be the problem.
>
> So I can't find the solution on this problem?

Can you get "hix.nl" to sign gruintjes.nl (they must have this planned
since there is a DS record). Or remove the DS record. Normally, you
first sign the domain, then publish the DNSSEC records, and only then
put the DS up.

(to make your life happier, if you decide to remove the DS record, the
domain name will likely start to work very quickly (with a much lower
TTL than usual): because of the DNSSEC-bogus indication, unbound keeps
fetching fresh data for this name frequently (BIND has similar
behaviour)).

If you have no way to engage with hix or mr.gruintjes, then there is
the config option

    domain-insecure: "gruintjes.nl"

that would instruct unbound to ignore DNSSEC for the domain name.

Best regards,
Wouter
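
The publication order described in the message above (sign the zone, publish the DNSSEC records, only then put the DS up) can be checked offline before a DS goes to the parent. The following is an added example, not part of the original message and not Unbound code: it computes the RFC 4034 key tag and DS digest from DNSKEY RDATA and classifies the delegation. The name example.nl and the key bytes are constructed placeholders, and the check covers only the DS-to-DNSKEY link, not RRSIG validation.

```python
import hashlib
import struct

# DS digest types (IANA): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def delegation_state(owner, parent_ds, zone_dnskeys):
    """Classify the DS -> DNSKEY link of a delegation (signatures not checked)."""
    usable = [ds for ds in parent_ds if ds[2] in DIGESTS]
    if not usable:
        return "insecure"  # no DS with a supported digest: treated as unsigned
    if not zone_dnskeys:
        return "bogus: DS in parent, no DNSKEY in zone"  # the case in this thread
    for ds in usable:
        if any(make_ds(owner, rdata, ds[2]) == ds for rdata in zone_dnskeys):
            return "secure"
    return "bogus: no DNSKEY matches any DS"

# Constructed sample data: placeholder key bytes, not a real public key.
OWNER = "example.nl."
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
OTHER = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")

if __name__ == "__main__":
    ds = make_ds(OWNER, KSK)
    print("unsigned zone, DS published:", delegation_state(OWNER, [ds], []))
    print("signed zone, DS published:  ", delegation_state(OWNER, [ds], [KSK]))
    print("signed zone, no DS yet:     ", delegation_state(OWNER, [], [KSK]))
```
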
